Introduction and Initial Configuration Flashcards
Why would anyone use a virtual Fortigate?
In large-scale networks that change rapidly and may have many tenants, equivalent processing power and distribution may be achievable using larger amounts of cheaper, general purpose hardware.
Why do virtual Fortigates have the same features as physical Fortigates, expect for hardware acceleration?
First, the hardware abstraction layer software for hypervisors is made by other vendors, not Fortinet.. Second, the purpose of generic virtual CPUs is to abstract the hardware details of hypervisors. That way, all VM guest OSs can run on a common platform, no matter the different hardware. Unlike vCPUs or vGPUs that use generic, non-optimal RAM and vCPUs for abstraction, SPU chips are optimized circuits. Therefore, a virtualized ASIC ship would not yield the same performance benefits as a physical SPU chip.
FOrtigate VMX and Fortigate Connector for Cisco ACI are what?
They are specialized versions of FortiOS and an API that allows you to orchestrate rapid network changes through standards, such as OpenStack for software-defined networking (SDN).
Fortigate VM is deployed as what?
A guest VM on the hypervisor.
Fortigate VMX is deployed where?
Inside a hypervisor’s virtual networks, between guest VMs.
What is Fortigate Connector for Cisco ACI?
It allows ACI to deploy physical or virtual Fortigate VMs for north-south traffic.
What are Fortigate VMs’ specifications?
Licenses: Max 1/2/3/4/8 vCPU
Hypervisor: VMWare, Hyper-V, KVM, Citrix Xen Server, Open Source Xen, Azure, Amazon AWS BYOL & on-demand
Memory: Max 1/2/4/8/12 GB
NICs: 2-4 virtual
Storage capacity: 40GB+
What are SPUs?
(security processing units) which are used for hardware acceleration. They include NPx and CPx processors.
What is NTurbo?
NTurbo offloads firewall sessions that include flow-based security profiles to NP6 or NP7 network processors. Without NTurbo, all firewall sessions that include flow-based security profiles are processed by the Fortigate CPU.
What are CPs?
Content Processors. These processors accelerate a wide range of important security processes such as virus scanning, attack detection, encryption and decryption. Most Fortigates include these.
What are SPs?
Security processors. They function the same as CPs, but instead accelerate processing of IPS.
What are NPs?
Network processors. They offload processing of high volume network traffic.
What more information can you provide about Fortinet’s CPs?
CP9 is not bound to an internet, thus works outside the direct flow of traffic. It provides high-speed cryptography and content inspection services.
This allows administrators to deploy advanced security on-demand without impacting network functionality.
What is NAT Mode?
Packets are routed based on layer 3. Each logical network interface has an IP address and Fortigate determines the outgoing or egress interface based on the destination IP and entries in routing tables.
What is transparent mode?
Packets are forwarded at Layer 2, like a switch. The device in transparent mode has an IP address used for management traffic.
What are VDOMs?
These are virtual domains, which divide a Fortigate device into two or more virtual devices that function as independent firewalls. Each VDOM can be configured for NAT or transparent mode.
What is Fortiguard?
FortiGuard Subscription Services provide Fortigates with up-to-date threat intelligence. Fortigates use Fortiguard by periodically requesting packages that contain a new engine and signatures, as well as querying the FDN on an individual URL or hostname.
What is FDN?
Fortiguard Distribution Network. It uses real-time queries, meaning Fortigate asks the FDN every time it scans for spam or filtered websites. Queries can use UDP or HTTPS for transport which are for speed, not fault tolerance. Thus, queries require a reliable Internet connection.
How do Fortigates validate the Fortiguard server certificate efficiently?
The Fortiguard server uses Online Certificate Status Protocol (OCSP) stapling technique. The Gate will only complete the TLS handshake with a Guard server that provides a good OCSP status for its certificate. Otherwise, the SSL connection will fail.
This occurs every 4 hours.
What are basic CLI commands of Fortigates?
get system status = current status of Fortigate
show full-configuration system interface : shows all attribute values of the interface
show system interface : shows non-default attribute values for the interface
What are Fortigate management protocols?
HTTPS, HTTP, PING, SSH. Telnet is not a visible option on the GUI.
What types of management protocols should be disabled?
HTTP and Telnet. Both are insecure protocols that do not support transport encryption.
What is CAPWAP?
CAPWAP is a Security Fabric connection used for FortiAP, FortiSwitch, and FortiExtender when they are managed by the Gate.
What is FortiTelemetry?
It is a protocol not for admin access, but are protocols used when packets have FortiGate as a destination IP. It is used specifically for managing FortiClients and the Security Fabric.
What is the One-Arm Sniffer interface type?
This interface is not assigned an address. It will run in promiscuous mode and receive a copy of the traffic from a mirrored port on a switch. It cannot make changes as the original packet is already processed by the switch.
What is link aggregation and why is it useful?
This logically binds multiple physical interfaces into a single channel. It increases bandwidth and provides redundancy between two network devices.
How do you enable DHCP on a Fortigate?
Select an interface (internal interface), select the Manual option, enter a static IP, and then enable the DHCP option.
What types of DNS can you configure on a Fortigate?
Forwarding: Fortigate will forward requests to a specified DNS server
Non-recursive: Fortigate uses it’s own database to resolve DNS requests.
Recursive: Fortigate queries its own database before forwarding unresolved requests to the external DNS servers.
How do you get the firmware version on a Fortigate from CLI?
get system status
How do you get a full start-up config backup from a Fortigate’s CLI?
full config backup
When restoring an encrypted system configuration file, in addition to needing the Fortigate model and firmware version from the time the configuration file was produced, what must you also provide?
The password to decrypt the file
